Building Intel CPU Microcode Updates Directly into the Linux Kernel

DOTSLASHLINUX is proud to say that part of this article was added to the Gentoo Wiki

To achieve our dream of booting the kernel without an initrd/initramfs, we have to build our CPU’s microcode updates directly into the Linux kernel (removing any need for an initrd/initramfs). This is doable, but because the process is poorly documented, it can be hard to get right. Yes, I know, that’s why DOTSLASHLINUX was created xD.

For those who’d like to know, I’m using Gentoo Linux. Any distro will be fine though, as long as you can access your kernel’s source files. The version of the kernel’s source files that I’m using is 4.10.13.

I personally prefer make menuconfig as it’s better maintained and can be accessed from your terminal emulator or from a TTY. But as long as you can store your changes whenever you want, and go back and forth with the configuration menus then you’re good to go.

2. Enable CPU Microcode Loading Support

Navigate to Processor type and features and mark CONFIG_MICROCODE as built-in. You’ll receive two options now “Blue vs Red” microcode loading support or should I say CONFIG_MICROCODE_INTEL vs CONFIG_MICROCODE_AMD.

Notice how it says processor serial number: 0003-06C3-0000-0000-0000-0000. I’ve highlighted this part 0003-06C3.

Another way to do it is to install dmidecode:

Gentoo Linux:

emerge --sync && emerge -av sys-apps/dmidecode

Void Linux:

xbps-install -Su && xbps-install -S dmidecode

Arch Linux:

pacman -Syu dmidecode

Now run:

dmidecode | grep -w ID

ID: 0
ID: 1
ID: 2
ID: 3
ID: 4
ID: C3 06 03 00 FF FB EB BF

As you can see, (C, 3, 6, 0) keep popping up wherever I looked. You may simply choose to stop here if the signature is obvious to you and you can easily identify the correct microcode update file to use (in my case I can easily tell that it’s 06-3c-03).
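The step from those ID bytes to the file name 06-3c-03 can be done mechanically. The following is an added example, not part of the original article: it reverses the first four dmidecode ID bytes into the CPUID signature and applies Intel's extended family/model rules to build the family-model-stepping name. The function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the article): turn a CPUID signature into the
# family-model-stepping name used for files under intel-ucode/.

# dmi_id_to_sig "C3 06 03 00 FF FB EB BF" -> 000306C3
# The first four ID bytes are CPUID(1).EAX stored little-endian, so they
# are reversed to get the signature.
dmi_id_to_sig() {
    case $1 in
        *[!0-9A-Fa-f[:space:]]*) echo "unexpected characters in ID: $1" >&2; return 1 ;;
    esac
    set -- $1                      # split on whitespace into $1 $2 $3 ...
    [ $# -ge 4 ] || { echo "need at least 4 ID bytes" >&2; return 1; }
    printf '%s%s%s%s\n' "$4" "$3" "$2" "$1"
}

# sig_to_ucode_name 000306C3 -> 06-3c-03
sig_to_ucode_name() {
    hex=${1#0x}
    case $hex in
        ''|*[!0-9A-Fa-f]*) echo "not a hex signature: $1" >&2; return 1 ;;
    esac
    sig=$(( 0x$hex ))
    stepping=$((    sig         & 0xF  ))
    model=$((      (sig >> 4)   & 0xF  ))
    family=$((     (sig >> 8)   & 0xF  ))
    ext_model=$((  (sig >> 16)  & 0xF  ))
    ext_family=$(( (sig >> 20)  & 0xFF ))
    # Extended model applies to base family 6 and 15;
    # extended family only to base family 15.
    if [ "$family" -eq 6 ] || [ "$family" -eq 15 ]; then
        model=$(( (ext_model << 4) | model ))
    fi
    if [ "$family" -eq 15 ]; then
        family=$(( family + ext_family ))
    fi
    printf '%02x-%02x-%02x\n' "$family" "$model" "$stepping"
}

# The ID line from the dmidecode output above
sig_to_ucode_name "$(dmi_id_to_sig 'C3 06 03 00 FF FB EB BF')"   # prints 06-3c-03
```

The signature 000306C3 carries the same digits as the 0003-06C3 highlighted earlier, so either source leads to the same file name.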

Now we can use iucode_tool to identify the correct microcode update file (and with the magic of grep):

8 Comments

Hello, thank you for your articles, this one particularly!
To be sure not to miss one, can you make them available via RSS?

DOTSLASHLINUX

03/06/2017

@atbd, you’re most welcome! RSS feed is now available!

atbd

03/06/2017

By the way, I found a « method » to be sure about microcode signature:
* install iucode_tool (available on Gentoo, I don’t know about others)
* run dmesg | grep microcode & search for signature
* run iucode_tool -L /lib/firmware/intel-ucode/ and grep the signature found in your dmesg

DOTSLASHLINUX

03/06/2017

@atbd, I agree that should be the most obvious way to get the signature; however, on some installations the output of “dmesg” may be so large that it can be truncated and the microcode part won’t be shown. Another thing is that the user may reduce the verbosity of dmesg so the microcode updates won’t be shown.

The user might also be using a custom kernel build and has disabled “early microcode updates support” from his/her kernel.

The point is to get the signature from more than one source to successfully choose your microcode update file. Another way would be to choose all microcode update files and let the kernel pick the right one for you. That might work but still the article was intended to make things easier for the reader.

Thanks for your reply! Your suggestion is much appreciated!

rabbit

27/06/2017

Best article ever! Thank you a lot for your work! Great stuff!!!

DOTSLASHLINUX

27/06/2017

@rabbit, thanks a lot! Your feedback means a lot and it sure motivated me further more to continue writing useful articles. Really glad that you found this one helpful. And I’m proud to say that part of this article was added to the Gentoo wiki.

Joe

07/11/2017

Thanks for this.

But the folder intel-ucode does not exist on Arch Linux after installing the package. It just installs a .img file in /boot which works with initrd only I guess!

Any tips appreciated!

DOTSLASHLINUX

10/11/2017

@Joe, thanks, and I’m sorry to hear that. Arch Linux tends to build the microcode update files as an image into the initramfs itself (which is the sane thing to do for a distribution targeting such a large user base). You can still manually download the microcode update files from Intel’s website (a 2-3MB microcode-date.tgz file) and extract it to ‘/lib/firmware’. Make sure that it’s owned by root:root and it has 755 permissions.

Hope that helps! Let me know if you have any more questions!
